AWS-2024-012
Scope: AWS Content Type: Important (requires attention) Publication Date: 2024/10/21 4:00 PM PDT Description: The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repo contains Middleware that can be used in conjunction with the Application Load Balancer (ALB) OpenId Connect integration and can be used in any ASP.NET Core deployment scenario, including AWS Fargate, Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Compute Cloud (Amazon EC2), and AWS Lambda. In the JWT handling code, it performs signature validation but fails to validate the JWT issuer and signer identity. The signer omission, if combined with a scenario where the infrastructure owner allows internet traffic to the ALB targets (not a recommended configuration), can allow for JWT signing by an untrusted entity and an actor may be able to mimic valid OIDC-federated sessions to the ALB targets. Affected versions: all versions Resolution The repository/package has been deprecated, is End of Life, and is no longer actively supported. Workarounds As a security best practice, ensure that your ELB targets (e.g. EC2 Instances, Fargate Tasks etc.) do not have publi…
Timeline
- Oct 21, 2024 CVE Published
References
- CVE-2024-10125 - missing JWT issuer and signer validation in aws-alb-identity-aspnetcore advisory
- https://github.com/awslabs/aws-alb-identity-aspnetcore#validatetokensignature web
- https://dotnet.microsoft.com/apps/aspnet web
- https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html web
- https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#user-claims-encoding web
- https://github.com/awslabs/aws-alb-identity-aspnetcore/security/advisories/GHSA-5gh5-cc5m-q244 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-10125 advisory